Oct 8, 2014

A document containing various references for programming automated teller machines (ATMs) has been found online using the Chinese Baidu search engine.

News of malware designed specifically for ATMs has become more frequent lately, and with such an asset at the disposal of malware authors, things may have just started to get worse. Security researchers at F-Secure found the API documentation for cashpoints manufactured by NCR Corporation, which would help a malicious actor write code that can interact with the ATM. These machines run on the Windows Embedded operating system, which differs in some respects from the regular editions of Windows.

Understanding malware behavior prompts documentation search

The search for this type of file was prompted by the fact that the researchers could not connect the dots about the specific inner workings of an ATM malware sample they analyzed. In particular, for the attackers to be able to control the malware, a connection to the machine’s PIN pad had to be created through available APIs. However, what F-Secure could not put together was how the malware author knew which process should be used for this task, since Microsoft does not provide documentation for a DLL (MSXFS.dll) that seems to be specific to ATMs and self-service terminals running Windows Embedded. “Therefore, we did some web searches for the API documentation using the API name and the pin pad service name,” F-Secure says in a blog post.

It seems that finding the documentation was not a painstaking job, which means that malware authors should also have no trouble accessing it. And when a document has been leaked online, despite all efforts to remove it, there is no guarantee that it has been completely eliminated.

Malware added to ATM from CD, just like Tyupkin

F-Secure started their search after learning that ATMs in Malaysia had been robbed of approximately $1 million / €790,000. According to the Malaysian police report, the thieves installed malware identified by Symantec as Backdoor.Padpin from a CD, which means physically tampering with the ATM’s lock to get access to the CD-ROM drive. Padpin creates a file called “ulssm.exe” and attempts to remove the “AptraDebug.lnk” shortcut file from the operating system’s startup folder, as well as the registry key “AptraDebug.” All this, including the DLL used, is consistent with a recent report from Kaspersky about the Tyupkin ATM malware, which was discovered targeting cashpoints in Russia. According to Kaspersky’s data, however, one sample has been detected in Malaysia, too.

It appears that Tyupkin has been used in Russia to extract millions of dollars without the need to insert a card into the cash machine. “The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,” said Vicente Diaz, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team. “We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions,” Diaz added.